MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


ModiLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3
SHA3-384 hash: 300325799cc77d3f2f0887218714d101304e8150246a21e6bae6126a0b40385fc0d95d25ef67d2487a600ba63078da67
SHA1 hash: 15a3327cf4dbed7ac0826ad4dcc1a646ad178d56
MD5 hash: 95d358f8885d996790fc1269701acb4f
humanhash: stream-hot-queen-don
File name:03425617829092.exe
Download: download sample
Signature ModiLoader
Create hunting rule
File size:950'784 bytes
First seen:2022-09-14 05:39:36 UTC
Last seen:2022-09-23 09:50:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f8a00b1efc3715d236fb93566315cbcf (2 x ModiLoader, 1 x FormBook)
ssdeep 12288:rKx1eucAcAfIS6GTbL/T5C3DoCHjsG83q/rhf7fvQBdR:rqMKISpTXVuoT3q/lvkd
Threatray 16'054 similar samples on MalwareBazaar
TLSH T1E715AFE5B2F0CA33C053097ECEA772956B6EBF555C14B84E63F53908DE38190382A65B
TrID 84.1% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
4.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
4.1% (.SCR) Windows screen saver (13101/52/3)
2.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 33d0d89696d8d033 (14 x ModiLoader, 9 x DBatLoader, 6 x Formbook)
Reporter lowmal3
Tags:exe ModiLoader

Intelligence

File Origin
# of uploads :
5
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309905/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.41399.29908.4311.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Creating a process with a hidden window
Launching cmd.exe command interpreter
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/37613/overview
Behaviour
MalwareBazaar
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
keylogger overlay
Link:
https://www.filescan.io/uploads/632169af1594be804f8620bd/reports/12b2b9fa-b802-4226-84ae-4beaf3e3a308/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2fd7954b-6845-4740-a96d-b436d43ec27d
Result
Threat name:
DBatLoader, FormBook
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1069993
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Yara detected DBatLoader
Yara detected FormBook
Yara detected UAC Bypass using ComputerDefaults
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 702525 Sample: 03425617829092.exe Startdate: 14/09/2022 Architecture: WINDOWS Score: 100 39 www.boardsandbeamsdecor.com 2->39 61 Multi AV Scanner detection for domain / URL 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->65 67 6 other signatures 2->67 11 03425617829092.exe 1 18 2->11         started        signatures3 process4 dnsIp5 47 ph-files.fe.1drv.com 11->47 49 onedrive.live.com 11->49 51 ghettg.ph.files.1drv.com 11->51 33 C:\Users\Public\Libraries\Wdmtmkfa.exe, PE32 11->33 dropped 35 C:\Users\...\Wdmtmkfa.exe:Zone.Identifier, ASCII 11->35 dropped 37 C:\Users\Public\Libraries\Wdmtmkfa, data 11->37 dropped 79 Writes to foreign memory regions 11->79 81 Allocates memory in foreign processes 11->81 83 Creates a thread in another existing process (thread injection) 11->83 85 Injects a PE file into a foreign processes 11->85 16 iexpress.exe 11->16         started        file6 signatures7 process8 signatures9 53 Modifies the context of a thread in another process (thread injection) 16->53 55 Maps a DLL or memory area into another process 16->55 57 Sample uses process hollowing technique 16->57 59 2 other signatures 16->59 19 explorer.exe 16->19 injected process10 process11 21 wlanext.exe 19->21         started        24 Wdmtmkfa.exe 14 19->24         started        dnsIp12 69 Modifies the context of a thread in another process (thread injection) 21->69 71 Maps a DLL or memory area into another process 21->71 73 Tries to detect virtualization through RDTSC time measurements 21->73 27 cmd.exe 1 21->27         started        41 l-0003.l-dc-msedge.net 13.107.43.12, 443, 49720, 49722 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->41 43 ph-files.fe.1drv.com 24->43 45 2 other IPs or domains 24->45 75 Multi AV Scanner detection for dropped file 24->75 77 Machine Learning detection for dropped file 24->77 29 iexpress.exe 24->29         started        signatures13 process14 process15 31 conhost.exe 27->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3/
Threat name:
Win32.Trojan.RealProtect
Create hunting rule
Status:
Malicious
First seen:
2022-09-13 07:50:28 UTC
File Type:
PE (Exe)
Extracted files:
44
AV detection:
24 of 25 (96.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mhjnppfzmzlyl7kvogsuns5najxtjgqtryvdf4w353mq6veaucrq._file
Verdict:
malicious
Label(s):
formbook
Create hunting rule
Similar samples:
18d3b2043c0bbcb8af1d740837e13dbfbf803156a205df76ed824625d57158e4
ModiLoader
28ca5dea8ca246a61d262c54081363c158312e46634bcf4b886358ee08dee89f
ModiLoader
69d1c8462f71dd4283483577ba89fac2e505d549fd5c9f583194466ceda0d93c
ModiLoader
823668b847ae47d3210faeb01e11b10a81b2e6d84b0d47a34484fb6be8dfc67d
ModiLoader
bd06c34a413a4ca8e49ec57f8ea6f52f69eb16c4fce86db93761c4da50c94edc
ModiLoader
bd80461f8ced83b6ef02cc5e7c678418da890aed3941b48d42da4c1cab3ce39c
ModiLoader
c2a474ed468997ee83ecc163c0297d813466652e78a22b05129b8158fb19ede7
ModiLoader
d55b3acb7fbeaf698e8b940f755c1363224663da98feee5abf93872e979460e9
ModiLoader
ea40e7d13c60b9e59430c04c98eb834e0f64fc9f30cf9140726ca8713e843270
ModiLoader
eafff11f17167c7af139e43f9bffdb251cd5eec87d92cc93f0095b0f3eb38996
ModiLoader
+ 16'044 additional samples on MalwareBazaar
Result
Malware family:
xloader
Create hunting rule
Score:
  10/10
Tags:
family:modiloader family:xloader campaign:euv4 loader persistence rat trojan
Link:
https://tria.ge/reports/220914-gcwdvshda2/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
ModiLoader Second Stage
Xloader payload
ModiLoader, DBatLoader
Xloader
Verdict:
Informative
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5d40dee1-96df-4c25-bcc9-1ea735f07360
Unpacked files
SH256 hash:
002d54f655cf8f16866c478261daadd51896310839a7e3da98ace9873323c9fc
MD5 hash:
eb295d7d7804e778f9f5ae4783379ccc
SHA1 hash:
d1b9df6113a548dd362fc0cb611c78eef2124f73
Detections:
win_dbatloader_g1
Create hunting rule
Link:
https://www.unpac.me/results/0f92f521-06f4-4457-bf8f-ecc8e0598129/
Parent samples :
e678b49addfe3e9fa2c9836bf6d0cc3bed0310f87cdcafd0fce458985c5276c8
911c27a105a2e71591d12567053d8024f4c15c95ce4f1d67937ef1a3d723c263
7ff888a459a2476f9e3dfcaf8799f30bc24808d103606512503949b3ab818cc4
61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3
24b237c6dcd5b3f5cb3e687e4fa169fef7bce3f6fe1eb5a89bafd99656dfd353
4272fd59d96204a2d503f3356fe96fed2c6d3bf019c7ef25aacff0e1c36a758a
f3feaf830444cc6786b6d4e06bd4a2aef79519ebe3e336882d410268db96292c
e7f4fdb02b9f0f43c5325e8b0ea8ce07ee78c5aa63ccfb1892b079bbd2400874
c60e8a14abc81ae3f2ffbe04b32240a92b900107e4acc9eb88e43632aee1266c
44e94b15723fb3ee7cf9d710939d7fda2273622f2284e30cfa67d280a206eb62
SH256 hash:
61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3
MD5 hash:
95d358f8885d996790fc1269701acb4f
SHA1 hash:
15a3327cf4dbed7ac0826ad4dcc1a646ad178d56
Detections:
DbatLoaderStage1
Create hunting rule
Link:
https://www.unpac.me/results/0f92f521-06f4-4457-bf8f-ecc8e0598129/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

ModiLoader

zip d2fb954a8cbe7300e405cf3149b4807d67bae2c47370c55a0d3c34132838e9b2

ModiLoader

Executable exe 61d2d7bcb9665785fd5571a546cbad026f349a138e2a32f2dbeed90f5480a0a3

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/309905/
  
Dropped by
SHA256 d2fb954a8cbe7300e405cf3149b4807d67bae2c47370c55a0d3c34132838e9b2
  
Dropped by
MD5 74dc78d6c4ada0579c2294dd49a31592

Comments